Since WordPress sites need to allow their users to upload new content, WordPress’ upload directory needs to be writable. As such, your wp-content/uploads directory should be considered a potential entry point. The biggest potential threat is the uploading of PHP files. WordPress won’t…
With DDoS attacks on the rise, could you be a botnet zombie?
A report recently published by Imperva found that more than half of web traffic comes from bots rather than human visitors. It also notes some changes in the types of bots observed, including a predictable yet worrying trend in impersonator bots, which now…
WordPress Security Tips Part 8 – Restrict Direct Access to Plugin and Theme PHP files
Allowing direct access to PHP files can be dangerous for a number of reasons. Some plugins and themes contain PHP files that are not designed to be called directly, because the file calls functions that would have been defined in other…
Obama’s State of the Union address highlights cyber security
In the aftermath of the Sony Pictures attack and now the hacking of the Pentagon’s social media accounts, the introduction of tougher cyber security laws has been inevitable. The main point to take from these new laws is that it will no longer be only the attacker…
WordPress Security Tips Part 7 – Enabling HTTPS for all logins and wp-admin
Strictly speaking, HTTPS is not a protocol in and of itself, but it is rather HTTP encapsulated in TLS/SSL. TLS, or SSL, as it is commonly referred to, provides websites and web applications with encryption of data being transmitted and authentication to verify the identity…
WordPress Security Tips Part 6 – Disable File Editing
By default, WordPress allows administrative users to edit the PHP files of plugins and themes inside the WordPress admin interface. This is often the first thing an attacker will look for if they manage to gain access to an administrative account, since…
WordPress Security Tips Part 5 – Restrict Access to wp-admin Directory
Password protecting your WordPress admin area through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess users’ passwords. Additionally, if an attacker manages to steal a user’s password, they will still need to get past HTTP authentication in order to gain…
Predictions and challenges for website security in 2015
2014 will be remembered for many things; it is the year HTML5 was given the green light and the year JavaScript was used to provide dynamic content more than ever before. We have also seen major version releases in important…
What to look for when choosing a web vulnerability scanner
Evaluating a web vulnerability scanner is not the easiest of tasks. With a multitude of open source and commercial products to choose from, all promising to provide best-of-breed scanning functionality, choosing the right web vulnerability scanner is a tough, albeit important, decision…